Harden Microsoft Intune: What the CISA Advisory Means for Your Tenant
What happened
On March 11, 2026, Iran-linked threat group Handala breached Stryker Corporation’s Microsoft environment and used Intune’s built-in device wipe command to erase more than 200,000 endpoints across factories in the U.S., Ireland, India, and other countries. The attackers claim to have exfiltrated 50 terabytes of data before triggering the wipe. Stryker struggled to recover for over a week. Some of the wiped devices were personal equipment with Intune installed, meaning employees lost non-company data as well.
On March 18, CISA and the FBI published a joint advisory urging organizations to harden their endpoint management systems immediately. The advisory references Microsoft’s newly released best practices for securing Intune and applies broadly to any organization managing devices through a cloud-based endpoint management platform.
The critical detail: the attackers did not exploit a software vulnerability. They compromised an administrative account and used the platform’s own legitimate features to wipe every enrolled device. No malware was deployed. The management plane itself was the weapon.
Scan your tenant for the weaknesses behind the Stryker breach
StrykerScan is a free, read-only PowerShell tool that runs 16 security checks mapped directly to the CISA recommendations from this breach — covering identity hardening, Conditional Access, Intune RBAC and Multi-Admin Approval, and audit logging.
# Install the PowerShell modules the scan uses (CurrentUser scope, so no local admin rights are needed)
Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser
# Download the script and run it in the current session; save and read it first if you prefer not to pipe straight into iex
irm https://raw.githubusercontent.com/Galvnyz/StrykerScan/main/Invoke-StrykerScan.ps1 | iex
You get an HTML report with a 0–10 readiness score and a CSV export for tracking over time. The script uses read-only permissions and does not modify your tenant. Read on for the full breakdown of what CISA recommends and why.
Why endpoint management systems are high-value targets
Intune and similar MDM/UEM platforms have sweeping control over every enrolled device. An administrator with the right permissions can push policies, deploy applications, reset passwords, and wipe devices at scale. That level of access is the entire point of the tool, but it also means a single compromised admin account can cause catastrophic damage in minutes.
Most tenants make this worse by relying on default role assignments. Out of the box, Intune’s built-in administrator roles are broad. The Intune Administrator role in Entra ID grants full access to every Intune feature, including destructive actions like device wipes and factory resets. If that role is assigned permanently to multiple accounts without additional safeguards, any one of those accounts becomes a single point of failure. The Stryker breach demonstrated exactly what that failure looks like at scale.
Lock down RBAC roles
CISA’s first recommendation is to implement least privilege through Intune’s role-based access control. Start by auditing who currently holds Intune administrative roles in your tenant. In the Intune admin center, navigate to Tenant administration > Roles to review all role assignments.
The goal is to separate destructive capabilities from day-to-day management. Create custom roles that grant only the permissions each team member actually needs. A helpdesk technician who resets passwords and checks compliance status does not need the ability to wipe devices. A policy administrator who manages configuration profiles does not need access to app deployment.
Pay particular attention to these high-impact permissions:
- Device wipe and retire — restrict to a dedicated role held by a small number of senior administrators
- Policy creation and modification — separate from device management roles
- App deployment — scope to specific device groups rather than granting tenant-wide access
Use Intune’s scope tags to further limit what each administrator can see and manage. Scope tags let you segment your environment so that an admin responsible for one region or department cannot accidentally (or intentionally) affect devices outside their scope.
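One way to do the audit described above in read-only Graph calls, as an added example that is not code from the post or from StrykerScan. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementRBAC.Read.All scope, and that the destructive resource actions contain the strings ManagedDevices_Wipe, ManagedDevices_Retire and ManagedDevices_Delete (an assumption; adjust the regex to your tenant).

```powershell
# Added example, not code from the post or from StrykerScan: find every Intune RBAC role that
# can wipe, retire or delete devices, then list the role assignments that hand it out.
# Assumptions: the Microsoft.Graph module is installed and the signed-in account holds the
# read-only DeviceManagementRBAC.Read.All scope. The resource action names are matched with
# a regex because their exact spelling in your tenant is an assumption on my part.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All' -NoWelcome

$destructivePattern = 'ManagedDevices_(Wipe|Retire|Delete)'
$base = 'https://graph.microsoft.com/v1.0/deviceManagement'

# Walk a Graph collection and follow @odata.nextLink so large tenants are not truncated
function Get-GraphCollection([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$findings = foreach ($role in Get-GraphCollection "$base/roleDefinitions") {
    # Flatten every allowed resource action this role grants
    $allowed = @($role.rolePermissions | ForEach-Object { $_.resourceActions } |
                 ForEach-Object { $_.allowedResourceActions })
    $hits = @($allowed | Where-Object { $_ -match $destructivePattern } | Sort-Object -Unique)
    if ($hits.Count -eq 0) { continue }

    # The assignment list under the role only carries IDs; fetch each one for members and scope
    $assignmentIds = @(Get-GraphCollection "$base/roleDefinitions/$($role.id)/roleAssignments" | ForEach-Object { $_.id })
    if ($assignmentIds.Count -eq 0) {
        [pscustomobject]@{ Role = $role.displayName; BuiltIn = $role.isBuiltIn; Actions = $hits -join ', '
                           Assignment = '(unassigned)'; Members = ''; Scope = '' }
        continue
    }
    foreach ($id in $assignmentIds) {
        $asg = Invoke-MgGraphRequest -Method GET -Uri "$base/roleAssignments/$id"
        [pscustomobject]@{
            Role       = $role.displayName
            BuiltIn    = $role.isBuiltIn
            Actions    = $hits -join ', '
            Assignment = $asg.displayName
            Members    = $asg.members -join ', '         # Entra group object IDs holding the role
            Scope      = $asg.resourceScopes -join ', '  # group IDs the role may act on; empty means unscoped
        }
    }
}

# Every row is a population of accounts that can erase enrolled devices; review each one
$findings | Sort-Object Role, Assignment | Format-Table -AutoSize
```

Rows whose Scope column is empty deserve the closest look, since those assignments are not limited by scope tags or resource scopes and can act on every enrolled device.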
Enable Multi-Admin Approval
This is the single most impactful control against a Stryker-style attack. CISA specifically recommends configuring access policies that require a second administrative account’s approval before high-impact actions can execute.
Multi-Admin Approval means that even if an attacker compromises one admin account, they cannot unilaterally wipe devices, push destructive policies, or deploy malicious applications. A second, independent administrator must review and approve the action before it takes effect.
To configure it, go to Tenant administration > Multi admin approval in the Intune admin center. Create an access protection policy that defines which actions require approval and designate the group of administrators who can approve requests. At a minimum, require approval for:
- Device wipe and retire actions
- Compliance policy changes
- App deployment to large device groups
The approving administrators should be a separate group from those who initiate the actions. This separation of duties ensures that compromising a single account, or even a single team, is not enough to execute a destructive action.
Harden identity with Entra ID
CISA’s advisory emphasizes using Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Intune. This means layering identity controls on top of Intune’s own RBAC.
Require phishing-resistant MFA for all Intune admin roles. Password-plus-SMS is not sufficient for accounts that can wipe thousands of devices. Enforce FIDO2 security keys or Windows Hello for Business for any account that holds Intune administrative permissions. Configure this through Conditional Access policies that target the Intune admin roles specifically.
Restrict where and how admins can authenticate. Create Conditional Access policies that block Intune admin portal access from non-compliant devices, untrusted networks, and high-risk sign-in sessions. If an admin account suddenly authenticates from an unfamiliar location at 3 AM, Conditional Access should block that session before it reaches Intune.
Use Privileged Identity Management (PIM). Instead of permanently assigning Intune Administrator or similar roles, make them eligible through PIM. Administrators activate the role only when they need it, provide a justification, and the assignment expires automatically after a defined window. This shrinks the attack surface dramatically: even if an attacker compromises an admin’s credentials, the privileged role is not active by default. PIM also creates an audit trail of every activation, making it easier to detect suspicious access patterns.
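The PIM and Conditional Access checks from the two sections above, in one read-only script, as an added example that is not code from the post or from StrykerScan. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the read-only scopes listed in the script, and that the built-in "Phishing-resistant MFA" authentication strength still has the ID shown (an assumption; confirm it in your tenant).

```powershell
# Added example, not code from the post or from StrykerScan: report who holds the Entra ID
# "Intune Administrator" role permanently versus as a PIM-eligible assignment, and which enabled
# Conditional Access policies cover that role with the built-in phishing-resistant MFA strength.
# Assumptions: Microsoft.Graph module installed; the signed-in account holds the read-only scopes
# below; the authentication strength ID is the built-in value Entra ships (verify it in your tenant).
Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory', 'RoleEligibilitySchedule.Read.Directory',
                                   'Policy.Read.All', 'Directory.Read.All'

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Intune Administrator'"
$roleFilter = "roleDefinitionId eq '$($role.Id)'"

# Active assignments are standing privilege (or a PIM role that is activated right now);
# eligibility schedules are the just-in-time assignments the post recommends instead.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $roleFilter -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $roleFilter -All)

function Resolve-Principal([string]$Id) {
    # Principals may be users, groups or service principals; fall back to the raw ID on failure
    try { (Get-MgDirectoryObject -DirectoryObjectId $Id).AdditionalProperties['displayName'] } catch { $Id }
}

$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" (assumed)
$coveringPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.Conditions.Users.IncludeRoles -contains $role.TemplateId -or
     $_.Conditions.Users.IncludeUsers -contains 'All') -and
    $_.GrantControls.AuthenticationStrength.Id -eq $phishingResistantStrength
})

# Summary first: the target is zero permanent holders and at least one covering policy
[pscustomobject]@{
    Role                        = $role.DisplayName
    PermanentHolders            = $active.Count
    PimEligibleHolders          = $eligible.Count
    PhishingResistantCAPolicies = ($coveringPolicies.DisplayName -join ', ')
} | Format-List

# Then the per-principal detail, so each standing assignment can be converted to eligible
$active   | ForEach-Object { [pscustomobject]@{ Type = 'Permanent'; Principal = Resolve-Principal $_.PrincipalId; Scope = $_.DirectoryScopeId } }
$eligible | ForEach-Object { [pscustomobject]@{ Type = 'Eligible';  Principal = Resolve-Principal $_.PrincipalId; Scope = $_.DirectoryScopeId } }
```

A policy that matches only because it targets all users should still be checked by hand for exclusions, since a single excluded admin account is exactly the gap the post warns about.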
Verify your posture
Manually checking every RBAC assignment, Conditional Access policy, and PIM configuration across a tenant is tedious and easy to get wrong. You can verify many of these settings automatically with M365-Assess, which evaluates your tenant’s Intune configuration against established security baselines. It checks compliance policies, conditional access enforcement, device management settings, and whether unmanaged devices can access corporate data.
If you have not run an assessment before, the step-by-step guide walks through the full process. The tool is read-only and does not modify your tenant. Running it after implementing the hardening steps above gives you a concrete before-and-after view of your posture improvement.
For a faster, targeted check against the specific Stryker attack pattern, run StrykerScan — the 20 checks map directly to the hardening steps in this post and give you a concrete readiness score.
Key takeaways
The Stryker breach was not a sophisticated exploit. It was an admin account compromise followed by the use of a built-in feature. The defenses are straightforward:
- Audit and restrict RBAC roles — no one should hold device wipe permissions who does not absolutely need them
- Enable Multi-Admin Approval — require a second admin to approve destructive actions
- Enforce phishing-resistant MFA — on every account with Intune administrative access
- Deploy Conditional Access — block privileged access from untrusted devices and locations
- Use PIM for just-in-time access — make admin roles eligible, not permanent
- Run StrykerScan — get a concrete readiness score against this specific attack pattern
Read the full CISA advisory for the complete set of recommendations. If you manage devices through any endpoint management platform, not just Intune, the same principles apply. Lock down the management plane before someone else uses it against you.